Attackers Can Use IPv6 to Launch Man-in-the-Middle Attacks

Attackers are already using IPv6 networks to attack users on IPv4 networks. One security researcher outlines one possible attack scenario.

Organizations face several information
security challenges as they transition from IPv4 to IPv6, according to security
experts. The difficulties are compounded by the fact that some attackers are
using the IPv6 address space to sneak attacks onto IPv4 networks.
Even though the transition to IPv6 has been notoriously slow
amongst organizations, many cyber-criminals have already made the switch, James
Lyne, director of technology strategy at Sophos, told eWEEK. Many scammers are
pushing out spam over the IPv6 infrastructure and taking advantage of
misconfigured firewalls.

Many modern firewalls are configured by
default to just let IPv6 traffic pass through, Lyne said. Organizations not
interested in IPv6 traffic should be setting up rules to explicitly block IPv6
packets, according to Lyne. IT managers need "to know how to talk IPv6" so they
can write appropriate rules to handle the protocol correctly, he said.

"From an industry standpoint, we are
selling IPv6 wrong," Lyne said, noting there has been little discussion about
how the protocol's built-in features help increase privacy. Instead, the
general perception of IPv6 as being hard to implement or confusing has made
organizations vulnerable to potential attacks.
As a general rule, IPv4 and IPv6
networks operate in parallel. Computers with the legacy IPv4 addresses can't
access servers and Websites operating on the newer IPv6 address space. With the near-exhaustion of IPv4 addresses, organizations
are being encouraged to switch over to IPv6 or be unable to get newer IP
addresses. The Asia Pacific Network Information Center, the registration Internet
registry responsible for assigning IP addresses to the Asia-Pacific region,
recently announced that all new requests will be assigned IPv6 addresses.
A security researcher has recently
identified a scenario in which attackers could launch man-in-the-middle attacks
over an IPv6 network. Attackers would overlay a "parasitic" IPv6 network on top
of the targeted IPv4 network to intercept Internet traffic, Alec Waters, a
security researcher for InfoSec Institute, wrote on the institute's blog
on April 4. His proof-of-concept attack considered only Windows 7 systems, but
would also work on Windows Vista, Windows 2008 Server and any operating system
with IPv6 enabled by default, Waters said.

For the attack to succeed, the attacker
would need to gain physical access to the targeted network long enough to
connect an IPv6 router, according to Waters. In the case of a corporate
network, the attacker would need to connect the IPv6 router to the existing IP4
hub, but for a public WiFi hotspot, it may be as simple as dropping an IPv6
router to piggyback on the wireless signal.
The rogue IPv6 router would
automatically create new IPv6 addresses using fake router advertisements for
all the IPv6-enabled machines on the network.
Router advertisements act like DHCP
(Dynamic Host Configuration Protocol) for IPv6 addresses, as it provides a pool
of addresses that a host can pick up, according to Johannes Ullrich, chief
research officer at SANS Institute. Machines can become IPv6-ready
without the user or IT manager knowing.
Even though the system already has an
IPv4 address assigned by the enterprise, it gets shuffled onto the IPv6 network
because of the way the operating system handles IPv6. Modern operating systems
default to IPv6 as the preferred connection by design if the machine has both
IPv6 and IPv4 addresses assigned, according to Lyne.
Since the IPv6 systems can't
communicate with the enterprise's actual IPv4 router, the systems have to go
through the malicious router, Waters said. Attackers can then use a tunnel to
translate IPv6 addresses to IPv4, such as NAT-PT, he said. NAT-PT is an
experimental IPv4-to-IPv6-transition mechanism, but it's not a widely supported
mechanism because of its many issues.
"Just because it's an obsolete mess
doesn't mean it can't be useful," Waters said.
With NAT-PT, machines with IPv6
addresses access the IPv4 Internet through the malicious router, giving
attackers full visibility in their Internet activity, he said.
The severity of the attack is under
dispute, according to Jack Koziol, a senior instructor and security program
manager at InfoSec Institute. According to the vulnerability listing on the Common Vulnerabilities and Exposures list
(maintained by MITRE), "it can be argued that preferring IPv6 complies
with RFC 3484 [the IPv6 protocol], and that attempting to determine the
legitimacy of an RA is currently outside the scope of recommended behavior of
host operating systems."
Organizations that don't need IPv6 or
haven't made the transition yet should turn off IPv6 on all systems, according
to Ullrich. Otherwise, the organization should "monitor and defend it like
IPv4," Ullrich said.